desktop: PIV / CAC / smart card authentication not working on GNU/Linux
I confirm (by marking “x” in the [ ] below: [x]):
- This is not a troubleshooting question. Troubleshooting questions go here: http://www.mattermost.org/troubleshoot/.
- This doesn’t reproduce on web browsers (such as in Chrome). If it does, issue reports go to the Mattermost Server repository.
- I have read contributing guidelines.
Summary
I am not prompted for PIV / CAC / smart card unlock PIN or certificate selection when using the latest Mattermost desktop app on Linux.
Environment
- Operating System: Debian GNU/Linux
- Mattermost Desktop App version: 4.5.3
- Mattermost Server version: 5.25.1
Steps to reproduce
- `rm -rf $HOME/.config/Mattermost`: clear Mattermost droppings, as neither “Log Out” nor “Remove”ing a server clears prior logins
- `.../mattermost-desktop`: run Mattermost
- add Mattermost server and close settings window
- insert PIV / CAC / smart card
- proceed with server authentication; “click login button, await PIN / unlock prompt, choose certificate, proceed”
Expected behavior
After clicking login button on server authentication page, the PIV / CAC / smart card should be used for authentication; prompting for PIN unlock if not already, then certificate selection if not already chosen, then confirmation/successful authentication. These pages are site specific of course, but this is the general procedure.
Observed behavior
I am never prompted for PIV / CAC / smart card unlocking or certificate selection. I am able to authenticate with username / password + MFA as the server allows. It’s as though PIV / CAC / smart card features are silently not working or simply unimplemented on GNU/Linux.
Possible fixes
I have not inspected the source for a possible fix, but other sources (co-workers) and pull requests indicate this functionality exists and works on other platforms. https://github.com/mattermost/desktop/pull/1148#issuecomment-575390778
After adding OpenSC PKCS #11 modules to the libnss database/system for my user, I am able to use PIV / CAC / smart card authentication with Mattermost web clients in Chromium. As well, adding OpenSC PKCS #11 module for Firefox works excellently.
About this issue
- State: closed
- Created 4 years ago
- Reactions: 1
- Comments: 25 (6 by maintainers)
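The report above notes that smart card login in Chromium worked once the OpenSC PKCS #11 module was added to the user's NSS database. The following check is an added example, not code from the issue or from the Mattermost project: it reads the module list (`pkcs11.txt`) of an NSS database and reports whether a given library is registered. The database location `$HOME/.pki/nssdb`, the library path in the sample, and the function names are assumptions; the sample database is constructed.

```shell
#!/bin/sh
# Added example: is a PKCS #11 module registered in an NSS "sql" database?
# Assumption: the per-user database is $HOME/.pki/nssdb.

# nss_has_module DBDIR LIBNAME
# returns 0 if a "library=" entry's file name equals LIBNAME, 1 if not,
# 2 if DBDIR has no readable pkcs11.txt (database absent or not sql format).
nss_has_module() {
    [ -r "$1/pkcs11.txt" ] || return 2
    awk -F= -v lib="$2" '
        $1 == "library" {
            n = split($2, parts, "/")       # compare the file name only
            if (parts[n] == lib) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1/pkcs11.txt"
}

# nss_module_report DBDIR LIBNAME -> prints registered | missing | no-database
nss_module_report() {
    rc=0
    nss_has_module "$1" "$2" || rc=$?
    case $rc in
        0) echo registered ;;
        1) echo missing ;;
        *) echo no-database ;;
    esac
}

# demo_db: build a constructed sample database directory and print its path.
demo_db() {
    d=$(mktemp -d)
    cat > "$d/pkcs11.txt" <<'EOF'
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
name=OpenSC
EOF
    echo "$d"
}

# When "missing", the module can be registered with NSS modutil, e.g.:
#   modutil -dbdir sql:$HOME/.pki/nssdb -add "OpenSC" -libfile /path/to/opensc-pkcs11.so
nss_module_report "${NSS_DB:-$HOME/.pki/nssdb}" opensc-pkcs11.so
```
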
That would be great 😃. You can join the Developers: Desktop App channel on Contributors or shoot me a DM @devin.binnie.
The dialogs are displayed by either the OS or chromium. Once we detect we have at least one valid cert for the login we try to use it and send it to electron, which then asks for the pin.
I don’t think I have setup the piv card in ubuntu, but will try and see if it works or it gives me any info
Hey all,
I want to apologize for the lack of communication on these tickets regarding authentication. But I come with some good news: we’ve been working on separating the external login flow from the Desktop App, deferring to the browser like many other applications do. This should overall improve security and stability around the login process, as the current implementation requires a few hacks to make it work correctly.
As of today, we released Mattermost v9.1 which has this feature implemented, and should work with all existing Desktop App versions going back to at least v5.3.0. Going forward we will be supporting this login flow for all external providers using the Desktop App, and this should fix any issues around login flow. Your server will need to be upgraded to take advantage of this feature.
I’ll be closing these tickets for now as fixed, but feel free to comment and ask questions if you have any. Thanks for your patience 😃
Now that you mention it…
I have seen MM notification popups on my Linux desktop now and then.
…but…
They are rather short-lived. If I happen to be sitting at my desk and looking at my screen during the small number of seconds it’s visible, great, mission accomplished. If my attention is elsewhere, it doesn’t really matter that the notification went by.
As an example…
We use GSuite extensively, especially for email and calendar.
GMail’s new-message notifications are like MM’s – short-lived. But for that, it’s okay, because 1) emails are so frequent that if their notifications stayed on the desktop until dismissed, the desktop would frequently be overwhelmed; and 2) I pretty much “live” in my email tab most of the time, so even if I miss a notification, it won’t be long before I see the email anyway.
Google Calendar’s meeting reminder notification popups stay on the desktop until you dismiss them. And, for that app, that is the preference. Because meetings don’t happen often enough to overwhelm the desktop (most days). And because meetings are more time sensitive than (most) emails, so it’s good to minimize the chance that you miss the notification.
Since folks tend to consider MM messages more time sensitive than email, it might be preferable if MM notifications remained on the desktop until dismissed.
FWIW, I did have a quick look at both MM notification settings and Chrome notification settings to see if that was a preference I could set myself. Didn’t see anything.
phil
p.s., one could argue that since, by my own assertions, people tend to prefer MM over email for time sensitive messages, then maybe I should change my habits so that I “live” more in my MM tab than my GMail tab. That’s a fair point. And I’m working on that. Nevertheless, I still think it would be appropriate if the MM notification were (or could be made to be) persistent-until-dismissed.
p.p.s., I have only seen MM notifications on my desktop very rarely. Noticed it the first time maybe 3 or 4 weeks ago, but have only seen 2 or 3 ever. Despite being messaged, directly, a few times a day. I suppose it’s possible that every such message to me has generated a desktop notification, the majority of which I have just missed. But I strongly suspect that notifications just don’t always happen. I wish I had something more definitive to give you…
– Phil Dumont Solid State Scientific Corporation Ph: 603-598-1194 x127 Fx: 603-598-1197
On Mon, Mar 14, 2022 at 2:06 AM RealAstolfo @.***> wrote:
I, too, am using Ubuntu. Specifically, 18.04.5 LTS (Bionic Beaver). Have also tried on Ubuntu 16.04.7 LTS (Xenial Xerus), with similar results.
In both cases, the PKCS library I’m using is opensc-pkcs11.so, from the opensc-pkcs11 package.
And – I don’t think it matters, but full disclosure: for the Ubuntu 18.04.5 distro, it’s actually running on Windows Subsystem for Linux, and getting at the card reader via USBIP. But since everything else in WSL (web browsers, command-line ssh) can use the card reader just fine, it would appear that USBIP is doing its job well.
The 16.04.7 system I’m using is on bare metal.
I rather agree this is not high priority. I’d like the extra features of the MatterMost gui, if they were easy to get to. But the web interface is serving me well enough for now. Don’t knock yourself out on this for my sake.
phil
p.s. You might be tempted to say: “Well, since you are running WSL, you must be running that on Windows. So… why not install the Windows version of the MatterMost GUI on your Windows system and use that?” I would. But while the card reader is being made available to WSL via USBIP, it is no longer usable by Windows. And I pretty much live in WSL. (I’m a *nix weenie from way back, and refuse to convert completely to MS without a fight.)
– Phil Dumont Solid State Scientific Corporation Ph: 603-598-1194 x127 Fx: 603-598-1197
On Mon, Aug 2, 2021 at 5:50 PM Nathan Schulte @.***> wrote:
Thanks for the detailed info. I’ve created a ticket, testing PIV cards is always a bit complicated, sorry about it.